Open Access

Detecting Distributed Network Traffic Anomaly with Network-Wide Correlation Analysis

EURASIP Journal on Advances in Signal Processing20082009:752818

Received: 22 October 2007

Accepted: 20 August 2008

Published: 11 September 2008


Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.


Excellent PerformanceAnomaly DetectionAbnormal BehaviorFull ArticleTraffic Signal

Publisher note

To access the full article, please see PDF.

Authors’ Affiliations

Key Lab of Broadband Optical Fiber Transmission and Communication Networks, University of Electronic Science and Technology of China (UESTC), Chengdu, China


© Li Zonglin et al. 2009

This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.